[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

; Z1 ^# f4 @; m% t1 }: ^" @Keyboard Interrupt Hook using I/O APIC

By: chpie
7 ^# d6 F0 u7 d2 l$ x& `Keyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.

1 y7 z" Z7 B+ z% _& ^+ [5 W4 U% \
! p7 t. u# D& n+ `, NSummary :: Using the 8259a compatible PIC to be deliver the interrupt
1 k6 l4 q! @+ Q2 a: U% Lsignal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
; t( u& x3 b+ |' v) p& wthe I/O APIC's Redirection Table.

- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
; u( v1 k$ |- U7 u, C) g7 ~/ Hvector from the I/O APIC.

) S& e, E& G5 i. \Flow ::

% z  s/ L& K( ~2 F1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
0 z' {( E1 A1 B* N5. A processor receives the signal.
4 t9 ?, x+ o0 ~6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
! q1 p0 X. l' Y8. The processor Assert the second INTA signal.
  P) M7 Z) Q' t& b% d& p5 r. L7 L9. The I/O APIC delivers the signal to the 8259a compatible PIC
/ D# Z- y% x  ]for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.

" A1 \5 d- r/ C, c5 L
1 V! V- S% E: _; d9 [1 [" Usourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip